I. INTRODUCTION


Previous to the enactment of the "Privacy Act of 1974", the
main thrust of computer literature was toward the depth to
which the laws of this country should regulate personal
information processed by computers and the extent to which
individual privacy needed to be safeguarded. It is not
unusual to obtain a copy of one of the many "horror stories"
associated with computers or to see a comic of an
individual's life being threatened by the invalid,
inaccurate information in a computer. What was not
emphasized, however, is that the machine itself is not the
villain: the processing of the contents of that machine by
human beings is the crux of the issue.

The purpose of this thesis is to discuss some of the
more recent issues on individual privacy and security
related to the computer industry today and determine exactly
what computer professionals should focus on to implement
today's legislation.


A basic definition of privacy and security will be
discussed along with the "Privacy Act of 1974" and its
implications toward computer operations. The influence of
this legislation in the following areas will be considered:

1. Management

2. Data : Accuracy and Flow

3. Hardware Considerations

4. Software Considerations

5. Cost





A. DEFINITIONS 


Privacy is "the right of individuals, groups or
organizations to control the collection, use, or
dissemination of personal identifiable information." [24] In
another context, the meaning of privacy is the right to be
left alone. The former definition, most accepted in the
industry today, is assuredly less restrictive in nature
since it justifies record-keeping systems and disregards the
question raised by the latter of the right to gather any
personal information whatsoever.

Security is "the realization of protection for hardware,
software, and data." [24] In this sense, privacy therefore
implies protecting the individual whereas security protects
the organization. In order to maintain privacy, enforcement
of security is necessary. It is understood that one area
cannot be considered without overlapping into the other.

To establish clarity, the following definitions are
quoted from Section 552(a) of the "Privacy Act of 1974".
[54]


The term 'agency' includes Federal agencies and those
government contractors who maintain a system of records to 
accomplish a function of a Federal agency. Subdivisions of 
an agency may be defined as agencies. It is determined by 
the higher unit as to which of its components will be 
subject to the Freedom of Information Act rather than the 
Privacy Act. Thie eoet Cece ot allowing flexible internal 
compliance is intended to further the purpose of the acts, 
not to defeat them. [49]

"The term 'individual' means a citizen of the United
States or an alien lawfully admitted for permanent
residence." [54]

The intention of this definition is to "distinguish
between the rights which are given to the citizen as an
individual under this Act and the rights of proprietorships,
businesses, and corporations which are not intended to be
covered by this Act. This distinction was to insure that
the bill leaves untouched the Federal Government's
information activities for such purposes as economic
regulations. This definition was also included to exempt
from coverage of the bill intelligence files and data
banks devoted solely to foreign nationals or maintained by
the State Department, the Central Intelligence Agency and
other agencies for the purpose of dealing with nonresident
aliens and people in other countries." (Senate Report
1183, p. 79).

"The term 'maintain' includes maintain, collect, use, or
disseminate." [54] Within the Privacy Act, two connotations
of "maintain" are used: first, to denote the record keeping
actions which apply to the act; and second, control (not
necessarily physical custody) over, and thus responsibility
and accountability for record systems.

"The term 'record' means any item, collection, or
grouping of information about an individual that is
maintained by an agency, including, but not limited to, his
education, financial transactions, medical history, and
criminal or employment history and that contains his name,
or the identifying number, symbol, or other identifying
particular assigned to the individual, such as a finger or
voice print or a photograph." [54]




"A 'record':

- means any item of information about an individual that
includes an individual identifier;

- includes any grouping of such items of information (it
should not be confused with the use of the term record in
the conventional sense or as used in the automatic data
processing (ADP) community);

- does not distinguish between data and information;
both are within the scope of the definition; and

- includes individual identifiers in any form including,
but not limited to, finger prints, voice prints and
photographs." [49]


As is stated later, understanding this definition is
imperative in determining exactly which requirements of this
legislation apply to each computer system of records.
Record as used in the Privacy Act extends beyond the
conventional computer science context. It can include one
descriptor about an individual or many descriptors.
Therefore what is considered a data field or group of fields
in a computer record could be established as a record in the
legal sense. This means that a computer record could
consist of many legal records.

"The term 'system of records' means a group of any
records under the control of any agency from which
information is retrieved by the name of the individual or by
some identifying number, symbol, or other identifying
particular assigned to the individual." [54] The key phrase
in this definition is 'retrieved by'. Those records which
are not obtainable by use of a 'personal identifier' are
excluded from the act even though the possibility of using
the 'identifying particular' as a key field in record
retrieval exists. According to the Office of Management and
Budget (OMB) Guidelines, 'agencies' should consider two
factors in determining which systems are covered: "....its
ability to comply with the requirements of the Act and
facilitate the exercise of the rights of individuals; and
....the cost and convenience to the agency, but only to the
extent consistent with the first consideration." [49] Also,
section 552k(4) lists specific exceptions to those systems
of records covered by the Act.

"The term 'statistical record' means a record in a
system of records maintained for statistical research or
reporting purposes only and not used in whole or in part in
making any determination about an identifiable individual,
except as provided by section 8 of title 13." [54]


A "statistical record", for purposes of this Act, is a
record in a system of records that is not used by anyone in
making any determination about an individual. This means
that for a record to qualify as a "statistical record", it
must be held in a system which is separated from systems
(some perhaps containing the same information) which contain
records that are used in any manner in making decisions
about the rights, benefits, or entitlements of an
identifiable individual. The term "identifiable individual"
is used to distinguish determinations about specific
individuals from determinations about aggregates of
individuals as, for example, census data are used to
apportion funds on the basis of population.


By this definition, it appears that some so-called
"research records" which are only used for analytic purposes
qualify as "statistical records" under the Act if they are
not used in making determinations. A "determination" is
defined as "any decision affecting the individual which is
in whole or in part based on information contained in the
record and which is made by any person or any agency."
(House Report 93-1416, p. 15.)

Most of the records of the Bureau of the Census are
considered to be "statistical records" even though, pursuant
to section 8 of title 13, United States Code, the Census
Bureau is authorized to "furnish transcripts of census
records for genealogical and other proper purposes and to
make special statistical surveys from census data for a fee
upon request." (House Report 93-1416, p. 12)


To apply this definition, it might be helpful to
distinguish three types of collections or groupings of
information about individuals: (1) statistical compilations
which, because they cannot be identified with individuals,
are not subject to the Act at all; (2) "records" maintained
solely for the purpose of compiling statistics - which are
the types of records covered by section 552(a) (6) of the
Privacy Act; and (3) "records" on individuals which are used
both to compile statistics and also for other purposes, e.g.
a criminal history record used both to compile individual
statistics and to assist a judge in making a sentencing
decision about the individual to whom the record pertains,
which is not a "statistical record." [49]

"The term 'routine use' means, with respect to the
disclosure of a record, the use of such record for a purpose
which is compatible with the purpose for which it was
collected." [54]


Pee LEGISLATION 


In legislating, the right of privacy must be balanced
against equally valid public interests in freedom of
information, national defense, foreign policy and law
enforcement.

On the international level, there have been three
approaches to the regulation of privacy:

1. Administrative self-regulation which was employed by
the British.

2. Omnibus licensing and regulation, the approach of
Sweden and Germany.

3. An area-by-area provision of court enforceable citizen
rights which is the American viewpoint.


The British "Data Surveillance Bill of 1969" establishes
a Registrar to keep a register of all data banks, public and
private. This register contains details of the data kept by
the data bank, the person responsible for the data bank, the
purpose for which data may be used, and by whom. The
register is subject to both public and private inspections.
Under this bill, each person shall receive a printout of the
data stored about himself including the purpose for which it
is used when the data bank is established.

Afterward, for a fee the individual may obtain a
printout of the data, their purposes and a listing of all
the recipients of such data. If an individual desires to
remove inaccurate, unfair or out of date information, he may
apply for an order to remove such data and all recipients
are notified. The law further states that each operator of
a data bank is liable for damages when he permits inaccurate
data to be supplied which can be harmful to a person.
Punishable offenses include failure to accurately register a
data bank, use of the data for nonregistered purposes,
allowing access to persons other than those entered on the
register, and aiding and abetting the wrongful use of the
data.


Various West German States have passed data protection
acts that establish certain measures of control over
government files. Sweden, the first country to pass a law
on privacy, established a federal Data Inspection Board.
This organization requires the licensing of all commercial,
computer-operated record-keeping systems in accordance with
established government standards including conditions for
their operation. The board additionally provides advice on
the conduct of government data banks.


France has studied the problem, but has taken no
definitive action. The Department of Communication and
Justice in Canada has produced substantial studies and
recommendations on the issue of privacy; however, no
legislation has been passed at this time.

It is of special importance that Canada and the United
States be strengthened in the area of privacy regulation
because of the enormous number of privately owned American
companies headquartered in Canada and the United States.

Questions regarding the legal regulation and
restrictions on the private records of Canadian citizens
which are owned by American companies are still unanswered.

The concern over invasion of privacy has received
special attention in the United States as a result of
numerous developments, among which are the GSA proposal for
a comprehensive computer network which could store personal
information on file in several different Federal agencies,
and increasing use of the social security number as a
Standard Universal Identifier.


Since policy conflicts arise, as in all government
legislation, two approaches are taken to resolve these
differences. The first is the agency-by-agency resolution,
which imposes upon each agency "....the responsibility for
regulating dissemination of personal data pursuant to
legislative guidelines - including the duty to obtain first
the written consent of the subject." [32] This approach fixes
responsibilities; however, some agencies may have to expand
their own information collecting activities to obtain
directly from the subject what previously was obtained
indirectly from other agencies. The second approach
classifies and regulates programs and types of data systems.
"This approach relieves the burden on some agencies, but
would not distinguish the portions of such records which
could usefully and properly be disclosed". [32] A
combination of both approaches has been implicit in most
bills introduced in Congress, but the need for a study of
the proper balance of the values in conflict still arises.
One reason for this discord is that presently there is no
legal definition for privacy. It has been established,
however, that each individual's idea of privacy varies with
age, experience and environment.


The "Privacy Act of 1974" (P.L. 93-579) amends Chapter 5
of Title 5 of the United States Code (section 552a). It
applies to U.S. Federal Government Agencies and private
contractors who are performing a record-keeping service for
a Federal agency and is based on the 1973 report by the
Committee on Personal Data Systems of the Department of
Health, Education and Welfare entitled "Records, Computers
and the Rights of Citizens". [55] This landmark in computer
history created a set of standards for the collection,
maintenance, use and dissemination of personal information
in both manual and automated systems. The initial report
contained a set of 'fair information practices'.


The purpose of the Code of Fair Information Practices
was to define the desired behavior of a data bank, the
desired relation between the data subject and the data bank,
and to establish certain rights for each citizen. Each of
the five basic principles was incorporated into the Privacy
Act.

1. There must be no personal data record-keeping system
whose very existence is secret.

2. There must be a way for an individual to find out
what information about him is in a record and how it is
used.

3. There must be a way for an individual to prevent
information about him that was obtained for one purpose from
being used or made available for other purposes without his
consent.

4. There must be a way for an individual to correct or
amend a record of identifiable information about him.

5. Any organization creating, maintaining, using or
disseminating records of identifiable personal data must
assure the reliability of the data for their intended use
and must take precautions to prevent misuse of data. [55]


These principles as incorporated in the Privacy Act
(section 552(b)) include the permitting of exceptions to the
Act when determined by specific statutory authority.

1. Provisions are provided which require the
publication of an annual notice in the Federal Register and
public notice of changes to existing systems of records as
well as new systems.

2. Any individual is permitted to view and receive a
copy of any record containing personal information about him
in those systems covered by the Act exclusive of exempt
disclosures. He may also see an accounting of his record to
determine how the information in it has been used.

3. Unless prior written consent has been obtained from
an individual, all Federal agencies are prohibited from
disclosing information unless its use is consistent with the
original intent of the collection of such information.

4. The Privacy Act specifies procedures which must be
implemented by the agencies to allow an individual the
possibility of amending or changing his record.
Additionally, it requires that said agencies must review
initial refusals to amend such records and state the reason
for this action.


e So eco eco mas used Dy an -agency which 
maintains the system of records shall insure their accuracy,
relevance, timeliness and completeness "as is reasonably
necessary to assure fairness to the individual." [54] These
agencies are to implement administrative, technical and
physical safeguards "to insure security and confidentiality
of records." [10]


Additionally, the Privacy Act clearly states that
responsibility for effective personal information systems
and integrity and accuracy of the data which comprise them,
rests with those individuals who manage and employ such
systems. If this law is not implemented, civil penalties
will be awarded.

In section 552e of the Privacy Act, certain requirements
are listed for each agency to fulfill. To implement these
conditions, the Office of Management and Budget Privacy Act
Guidelines of July 1, 1975 have been created to further
explain the measures to be enacted. Since it is the
responsibility of the personnel who maintain the record
systems covered by the Privacy Act to insure the accuracy
and integrity of personal information, certain procedures
should be established and fulfilled to comply with this
legislation. Although it is beyond the scope of this
discussion to list precisely what must be accomplished in
each computer installation, those measures applicable to all
situations will be mentioned. By studying the installation
and establishing the objectives and goals to be attained in
specific circumstances, an efficient review and plan of
action can be developed with the least amount of effort.


A. MANAGEMENT CONSIDERATIONS 


The first consideration is to decide which systems of
records are covered under the Privacy Act. This may seem a
simple task; however, due to the vague and complex
definition in the law, serious thought and study should be
spent on this decision. This leads to the necessity of a
manager knowing the current legislation. (The Privacy Act
and OMB Guidelines are in the forefront today. Among other
pertinent literature is the Freedom of Information Act and
H.R.1984). Realizing that not all managers have the time to
read the legislation, nor the legal expertise necessary to
understand all the implications or details, the need for
education arises. An alternative approach would be to
appoint individuals knowledgeable in both fields, law and
computer science, to study the situation and present a
summary (in layman's terms) available to all computer
installations. This would not only save much time and avoid
unnecessary complications, but would be an excellent mode of
educating a vast number of computer professionals in a short
time. It is inevitable that private industry will be
affected within the next three years and the need for rapid
understanding is mandatory. Various states have legislation
already in effect.


There are measures to protect computer professionals
which can be accomplished before more legislation goes into
effect. The Association for Computing Machinery has
suggested rules of conduct for personnel in the computer
industry. These guidelines cover three categories of
professional conduct: relations with the public, relations
with employer and clients, and relations with other
professionals.

To insure a high quality of personnel, it is desirable
to establish similar standards throughout the profession.
Other approaches, previously mentioned in literature, have
been licensing or bonding of personnel and certification.
By insuring the competence and integrity of personnel, the
installation thus increases protection against illegal
activities, intentional or not, and decreases the threat of
internal subversion. These standards must continue to
demand high quality work. This means accuracy of data.
More will be said of this in later sections. In addition to
the personnel, assurance of adequate physical protection
should be established. The National Bureau of Standards and
the Association of Computing Machinery have published
security checklists as guides in determining proper security
at each installation. [24,46] These are excellent starting
points in planning the protection of an organization
regardless of the age or style of the computer equipment.
Questions applicable to all phases of computer technology
will be found in these references.


Presently, there is some level of security at all
installations. Controlled personnel access to the computer
is an important factor in maintaining secure operations.
There are various ways to attain restricted entrance. The
point here is to consider who has the authority to obtain
admission to the facility and how difficult it is for an
unauthorized individual to achieve access. The next step is
to determine which method to use and to what degree, if any,
restricted access is necessary. The computer environment
should not be overlooked in deciding how to implement
protection measures. The location of the facility and the
building in which it is housed, if poorly guarded and
constructed, may lead to infiltration and destruction of
personal information or other valuable files. Thus computer
personnel could be accused of negligence and appropriate
penalties would be awarded.

Once the overall physical environment has been analysed
and appropriate decisions made as to what action, if any, is
required, the computer equipment and software should be
evaluated for compliance. After a final review of the
equipment and support facilities, the final step is to
provide for future analysis, otherwise known as periodic
auditing. There are various methods for accomplishing a
reevaluation of existing systems. One of the most effective
is management by exception. This does not preclude the
possibility of other less important factors influencing the
quality of an efficient system, but rather aids in
establishing which attributes most significantly hamper
computer operations and implementation of objectives.


Before concluding this portion of the discussion, a
remark on costs should be included. Those elements which
must be weighed in management of computer facilities all
contribute to some degree to the cost of compliance. The
basic question to be resolved is which action should be
taken at a reasonable expense. If every computer
installation takes a passive role toward the legal
implications and responsibilities set forth by government,
have the efforts of individuals to maintain their right to
privacy and their right to have accurate facts pertaining to
their lives contained in these machines been for nought?
Does this attitude reflect the typical manager's
position? Is this an enhancement or hindrance to the
computer profession? Should every manager wait until the
other organization is penalized or should he use the prudent
man approach? It is suggested that each computer facility
review its operations and procedures, then a decision as to
what degree of compliance is necessary would be made to the
benefit of the entire community.


B. DATA : ACCURACY AND FLOW 


This section will discuss those factors which influence
how data is collected and what factors affect the quality of
exactness achieved in information retrieval. The various
methods employed in data collection have a commonality of
factors which influence the degree of accuracy attained in
initial accumulation. The nature of the data may cause
unavoidable error. For example, if the specific numeric,
alphabetic or special characters are written in an
undecipherable penmanship it is left to the discretion of
the individual who enters that data into the computer system
as to whether it is correct or not. This is not to say
mistaken data is intentionally created, but obviously the
need for validation arises. Which validation procedure is
implemented is the decision of those personnel responsible
for data accuracy. Analysis of input data should include
whether or not a particular item is still necessary for the
purpose for which it was intended. If the data is no longer
required, it should be deleted from the input procedures.
Retention of data for longer than needed could also cause
harm to individuals. There is no standard time for
determining when this information is obsolete as this
depends on the status of its function, i.e. if this purpose
was satisfied, or the age of the information causes it to be
unreliable, or if its only value is historical. Other
elements involved in error control and collection include
the authority for assembling the data, who does the actual
collection and why. Not to be missed is the source of the
data. If the data collected is not correct initially, error
checking at the computer center level may not be effective.
The legal implication, of course, is: Who is responsible,
the individual who inserted false data or those who maintain
it?


The legislative view is to assume a relationship of
trustworthiness between the data subject and the receiver of
the information. If the individual, for whatever motive,
enters false data into the system, how does the computer
industry protect itself against lawsuits for invalid data?
Idealistically, this situation would never arise.
Realistically, protection of both parties should be
established.

The form which contains the data should be examined for
clarity and readability. A poorly designed document can
lead to errors by the most well-intentioned procedure. If
the data is not inscribed directly into the system, such as
from a terminal, are the initial forms (source documents)
which contain that information carelessly discarded or is
some procedure implemented to insure those documents do not
reach unauthorized personnel?


This leads to protection of the data once it has been
entered into the system. Determinations as to the
possibility of maintaining dedicated systems for personal
information files could lead to excessive costs and
management adversity. This approach could be justified by
the stringent requirements of security and the threat to
individual privacy. The costs of maintaining a separate
system and losing the benefits of a shared data base are
factors which should be weighed in this decision.
Integrating data into a data base may not be the problem if
the elements (identifying particulars) have no purpose in
being in that specific data base at all. The sensitivity of
the personal data may vary thereby lending itself to levels
of classification. Since the legislation may cause
problems, existing record structure needs to be examined for
legal records to establish what data fields may have to be
changed to conform to the legal requirements. The mixing of
the different sensitivity levels of data and sensitivity
transience have created the need for reevaluation at the
data field level. Presently, the technological approaches
to store mixed levels of data either use an increased amount
of storage or an immense amount of time. The existing
technology for file structures does not have a simplified
solution to this situation. The idea of simple aggregation
of data such as statistical information has been suggested
to alleviate this problem. The intent is that having a
large number of records, even with certain sensitive
elements contained in the record, will be sufficient to
eliminate the threat of harm to an individual. One method
is to input individual items, compute aggregates (averages,
etc.), then destroy inputs. This is adequate if the
organization only needs aggregates. Obviously, if the
sensitive information is still in the data base after
aggregation, no protection has been afforded. This 'safety
in numbers' attitude could be a simple method to employ, but
does not insure that an unauthorized individual is prevented
from obtaining the information in the files. Even if the
sensitive information was given some serial number and cross
referenced on another higher level file, this does not
preclude the possibility of unauthorized access to the
personal information.
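
The aggregate-then-destroy method described above, set beside
the 'safety in numbers' alternative, as an added example that
is not part of the original thesis. The class and function
names, the sample rows and the min_group_size threshold are
assumptions of this example; the threshold goes beyond the
text and withholds an average computed from too few inputs.

```python
"""Added example: aggregate-then-destroy versus 'safety in numbers'."""
import json
from collections import defaultdict

# Constructed sample input: (identifier, group, sensitive numeric value).
SAMPLE_INPUT = [
    ("123-45-6789", "dept-a", 41000),
    ("234-56-7890", "dept-a", 39000),
    ("345-67-8901", "dept-a", 46000),
    ("456-78-9012", "dept-b", 52000),
]


class AggregateOnlyStore:
    """Keeps running totals per group; each input item is dropped after use."""

    def __init__(self, min_group_size=3):
        # min_group_size is an assumption of this example, not from the text.
        self.min_group_size = min_group_size
        self._count = defaultdict(int)
        self._total = defaultdict(float)

    def ingest(self, identifier, group, value):
        # The identifier and the individual value are deliberately not stored.
        self._count[group] += 1
        self._total[group] += value

    def mean(self, group):
        n = self._count.get(group, 0)
        if n < self.min_group_size:
            # Too few inputs: the "aggregate" would describe one person.
            return None
        return self._total[group] / n

    def retained_state(self):
        """Everything the store still holds, serialized for inspection."""
        return json.dumps({"count": dict(self._count),
                           "total": dict(self._total)})


class RetainingStore(AggregateOnlyStore):
    """'Safety in numbers': same aggregates, but the inputs stay on file."""

    def __init__(self, min_group_size=3):
        super().__init__(min_group_size)
        self._rows = []

    def ingest(self, identifier, group, value):
        super().ingest(identifier, group, value)
        self._rows.append({"id": identifier, "group": group, "value": value})

    def retained_state(self):
        return json.dumps({"aggregates": json.loads(super().retained_state()),
                           "rows": self._rows})


def identifiers_recoverable(store, identifiers):
    """Return the identifiers that still appear in the store's retained state."""
    state = store.retained_state()
    return [i for i in identifiers if i in state]


def load(store, rows=SAMPLE_INPUT):
    """Feed every constructed row to the store and return the store."""
    for identifier, group, value in rows:
        store.ingest(identifier, group, value)
    return store


if __name__ == "__main__":
    ids = [row[0] for row in SAMPLE_INPUT]
    for cls in (AggregateOnlyStore, RetainingStore):
        store = load(cls())
        print(cls.__name__, store.mean("dept-a"), store.mean("dept-b"),
              identifiers_recoverable(store, ids))
```

Both stores report the same averages; only the one that
destroys its inputs leaves no identifier behind to be read.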


Software utilities may alter or delete personal
information. This action substantiates the need for
establishing a check of existing programs for compliance
with the current legislation. If unintentional
modifications to legal records occur, further errors are
created. The programs required to process the information
should not increase fallacy in the process and decrease data
integrity. By refusing to evaluate current software, the
threat of individual harm persists. Checks to include
privacy compliance in new programs should be added to
current standards. This insures continued protection of
individual rights and data integrity. Operating systems
have been studied and designed around security, but existing
systems are not totally immune to illegal penetration. To
consistently patch holes and use the retrofit approach
certainly does not insure against unauthorized access and
may create new paths of entry.

It is a fact in our industry that a software approach to
insuring security of files is only as effective as the
hardware in which it is stored. Faulty machinery which
loses bits of data creates errors. Proper preventative
maintenance aids in maintaining a secure system. The


eavesdropping Or page gt of electronic devices is 
presently being researched. New methods of eliminating
electronic fallout are being tried and possible solutions
exist in the near future. Currently, however, the problem
still exists. What are the legal implications if personal
information is obtained in this manner? How is one to
provide for protection of personal information if current
technology has not advanced to the degree of furnishing a
solution? Are the responsibilities of the computer industry
to perhaps revert to simpler methods of processing
information by eliminating third generation equipment and
networks? This question, although harsh, is to point out
the need for legislative personnel and computer personnel to
work together in solving data processing problems. To
formulate realistic legislation toward computer processing
entails careful deliberation on all phases of the industry
coupled with the rights of the individual at a reasonable
expense to all.


Once the information has been generated, procedures for
insuring proper safeguards for output should be maintained.
Legal restrictions and verification of reports, tapes,
cards, etc., for 'routine use' and 'the purpose for which
originally intended' pose a problem of revising production
procedures. The same possibilities of unintentional
disclosure exist as with Oria te input. Certain
precautions may include changing the output class so that
computer operators may administratively provide a more
secure environment for the output. For example, running
those printouts only at certain times and allowing only the
individual who submitted the job to receive the output or
re-locating a printer to a more restricted area where only
authorized personnel would see the information. If
carelessly discarded output is not destroyed, and
unauthorized uses result, legally it is the responsibility
of the computer facility and civil action may follow.


C. HARDWARE CONSIDERATIONS


"Physical security measures are the first line of
defense against the risks which stem from the uncertainties
in the environment as well as from the unpredictability of
human behavior." [46] Computer architecture is not designed
to fully eliminate the ability to obtain access to data
through unauthorized methods. Some devices for insuring
protection include memory protection schemes such as
relocation and bounds registers, segmentation, paging and
memory keys which allow limited access, i.e. read-only.
Error-detecting circuits and codes check almost all hardware
errors in the computer. The problem of insuring privacy of
data from a hardware standpoint includes those older
machines which do not have current technological features
incorporated into their structure and the retrofit solution
has not been successful in resolving illegal penetration.
Regarding networks, the greatest potential of a break in
security lies in the telecommunications line. Electronic
emanations are the greatest threat. As stated previously,
solutions to this problem are being studied and a workable
result is expected soon. [37]


1. Operating System


The third-generation computer with operating systems
or master control programs have, generally, two modes of
operation: supervisor (system) and problem (user). The
supervisor mode enables one to execute privileged
instructions. These instructions include changing the state
of the computer, starting input/output processors, changing
protection rights of parts of the computer and altering the
interrupt status of the machine. Obviously, one who has
access to the supervisor mode for a specific computer has
access to any and all data associated with that computer.
Previous cases of a user, intentionally or not, entering the
supervisor state for harmful reasons have been recorded.


One solution to avoiding this situation has been the
'patchwork' approach. When one "hole" was patched, another
was created thereby initiating a more complex path to
achieving the goal of illegally retrieving data. The
procedures to insure that the supervisor mode is not
obtained through illegal methods have so far not proven
totally successful.


The storage protection mechanism in the operating
system is a major factor in safeguarding personal data. Not
only does it affect computer performance, but if not
properly implemented and controlled, sensitive data could
become available to an unauthorized user. "Common
protection mechanisms are checks on logical addresses or on
physical addresses. The logical address check consists of a
segment base containing the actual address and the segment
length. The physical address protection employs separate
key-to-lock mechanisms." [24] The proper utilization of this
mechanism coupled with limited read-only or write-only
access to the programs and data within the computer decreases
the possibility of alteration and access to personal data and
increases compliance with present legislation. Limiting
access to the master control program or operating system is
another obvious safeguard to be employed.
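

The two checks quoted above, combined with a read-only restriction, can be sketched as follows. This is an added example, not code from the thesis or from any particular operating system; the block size, the key values, and the convention that key 0 is the supervisor's master key are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed layout: storage is divided into keyed blocks. */
#define BLOCK_SIZE 2048u
#define NUM_BLOCKS 8u

enum access  { ACC_READ, ACC_WRITE };
enum verdict { ACCESS_OK = 0, ERR_BOUNDS, ERR_READ_ONLY, ERR_KEY };

/* Logical address check: segment base (actual address) plus length. */
struct segment {
    uint32_t base;
    uint32_t length;
    int      read_only;
};

/* Physical address check: one lock per storage block. */
static uint8_t storage_lock[NUM_BLOCKS];

/* Constructed assignment: block 0 supervisor data, 1-2 job A, 3 job B. */
void setup_locks(void)
{
    storage_lock[0] = 1;
    storage_lock[1] = 5;
    storage_lock[2] = 5;
    storage_lock[3] = 7;
}

/* Apply both checks to one reference; on success store the physical address. */
int check_access(const struct segment *seg, uint8_t program_key,
                 uint32_t offset, uint32_t nbytes, enum access acc,
                 uint32_t *physical)
{
    /* Bounds test arranged so that offset + nbytes can never wrap around. */
    if (nbytes == 0 || offset >= seg->length || nbytes > seg->length - offset)
        return ERR_BOUNDS;
    if (acc == ACC_WRITE && seg->read_only)
        return ERR_READ_ONLY;

    uint64_t first = (uint64_t)seg->base + offset;
    uint64_t last  = first + nbytes - 1;
    if (last >= (uint64_t)BLOCK_SIZE * NUM_BLOCKS)
        return ERR_BOUNDS;

    /* Key-to-lock: every block touched must carry the program's key.
       Assumption of this example: key 0 is the supervisor's master key. */
    for (uint64_t b = first / BLOCK_SIZE; b <= last / BLOCK_SIZE; b++)
        if (program_key != 0 && storage_lock[b] != program_key)
            return ERR_KEY;

    *physical = (uint32_t)first;
    return ACCESS_OK;
}

int main(void)
{
    /* A descriptor whose length was set too large reaches job B's block;
       the independent key check still refuses the reference. */
    struct segment too_long = { 2048, 8192, 0 };
    uint32_t phys = 0;
    setup_locks();
    printf("job A into job B's block: verdict %d\n",
           check_access(&too_long, 5, 4096, 8, ACC_READ, &phys));
    return 0;
}
```

The last case in `main` is the reason for keeping both mechanisms: an error in the segment descriptor is contained by the storage keys.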


2. Peripheral Devices


Consideration of direct access storage devices and
tape drives includes the methods of erasing erroneous or
out-of-date data contained on the medium. Therefore to
insure security, writing over the entry could be
accomplished through hardware control while disconnected
from the data channel. This method is preferred over the
use of the operating system for this purpose since the
latter may involve too many system services and extreme
overhead.


Tape drives can best be protected through
administrative procedures. The tape labeling process is
easily bypassed and in some cases access to the data tape is
obtained by merely requesting the tape be mounted. One
proposed solution is to color code specific devices which
contain personal information to easily determine the legal
requirement for special protection. With regard to
input/output devices, current designs are not adequately
secure. Teleprocessing equipment provides the greatest
threat of harm. In terminal systems, the need to identify
the operator and terminal is real and valid. The solutions
here vary from password to keyword voice spectro-analysis.
In some cases sign-ons are accomplished through hardware
control.


For unit record devices, limited access to the media
and data through administrative measures is one solution.
Error checking codes, i.e., parity and cyclic checking must
be required for fie OL eCElon, and logic circuit
redundance is necessary in the core critical hardware
circuitry.


D. SOFTWARE CONSIDERATIONS 


Certain administrative procedures for software have been
mentioned. It is the purpose of this section to discuss the
technological aspects of programming with regard to privacy
legislation.


The solutions mentioned in literature for software
security have been costly and not necessarily realistic for
the computer installation. For example, placing an
indicator in each "legal record" has been suggested. This
however requires space which may not be available and would
require lengthening a computer record which may already be
using all its allocated space. In older computer systems,
storage techniques and programming are not as versatile as
in newer systems and this implies obtaining a new computer
system. Certainly this is not an easy task or decision.


There are various types of attacks involving software
which have been categorized by the Air Force Panel on
Technology and Planning. [3]


"In the case of implied sharing, the supervisor shares
some of its work space with the problem programs.
Therefore, the problem program is free to access such
resources as the catalog, and buffers in which proprietary
information is kept. For example, the supervisor reads the
security profile (the list of system data sets and user
passwords) into the user's area to authenticate the user
that is requesting access to a particular data set (data
file). However, because the information remaining in the
shared area (the user's area) and has not been overwritten,
the current user now has access to other users' passwords."
[24]


Obviously, the solution is to eliminate both supervisor
and problem mode using the same work space. This means
redesigning the operating system. If the system includes
checks for location and use of the supervisor and insures
the space has been overwritten before assigning it to a
problem program then this threat is eliminated. This, of
course, delays use of system resources. The implication is
certainly not to be taken lightly: there is no thoroughly
secure system.


"In the case of scavenging, the word space is not shared
by the user's program, but neither is it cleared after being
used by the supervisor. Therefore, if the user has access
to it, he could gain access to sensitive information like
passwords and authorization levels. Another type of
scavenging exists in the area of data management. On a
direct access device, the system can allocate space for a
file and then fill that file with sensitive data. When that
file is deleted, its space may not be cleared by the system.
Therefore, when another user program gains control, the
system could allocate that same space to the user so it is
possible for him to read it and gain access to sensitive
information that was left there previously. Temporary files
used in the course of a job that contained sensitive data
could also be candidates for scavenging." [24]


To clear the workspace before it is used by the next job
would eliminate this type of attack. Technologically, this
problem has been solved and should not be a factor in larger
systems. In smaller, less sophisticated computer systems,
the flexibility of the operating system is limited and
stricter administrative controls and procedures are used.
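

The remedy named for both implied sharing and scavenging, overwriting work space before it is handed to the next program, can be sketched as a buffer pool that clears storage on release. This is an added example, not code from the thesis or its sources; the pool layout, the function names and the sample security profile are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NBUF  4
#define BUFSZ 64

/* A small pool of work areas handed out to the supervisor and to jobs. */
struct pool {
    unsigned char mem[NBUF][BUFSZ];
    int in_use[NBUF];
    int clear_on_release;   /* the policy under test */
};

/* Zero through a volatile pointer so the compiler cannot discard the
   stores as "dead" when the buffer is not read again by this code. */
static void secure_clear(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

void pool_init(struct pool *p, int clear_on_release)
{
    memset(p, 0, sizeof *p);
    p->clear_on_release = clear_on_release;
}

/* Hand out the first free work area, or NULL when none is free. */
unsigned char *pool_alloc(struct pool *p)
{
    for (int i = 0; i < NBUF; i++)
        if (!p->in_use[i]) {
            p->in_use[i] = 1;
            return p->mem[i];
        }
    return NULL;
}

/* Return a work area to the pool, clearing it first if policy says so. */
void pool_release(struct pool *p, unsigned char *buf)
{
    for (int i = 0; i < NBUF; i++)
        if (p->mem[i] == buf && p->in_use[i]) {
            if (p->clear_on_release)
                secure_clear(buf, BUFSZ);
            p->in_use[i] = 0;
            return;
        }
}

/* Constructed security profile of the kind the supervisor reads in. */
static const char PROFILE[] = "USER1:PW=ALPHA;USER2:PW=BRAVO";

/* The supervisor uses a work area and releases it; the next job is then
   given the same area. Returns 1 if that job finds the profile in it. */
int next_job_sees_profile(int clear_on_release)
{
    struct pool p;
    pool_init(&p, clear_on_release);

    unsigned char *sup = pool_alloc(&p);
    memcpy(sup, PROFILE, sizeof PROFILE);
    pool_release(&p, sup);

    unsigned char *job = pool_alloc(&p);   /* same space, new owner */
    return job != NULL && memcmp(job, PROFILE, sizeof PROFILE) == 0;
}

int main(void)
{
    printf("no clearing:      residue visible = %d\n", next_job_sees_profile(0));
    printf("clear on release: residue visible = %d\n", next_job_sees_profile(1));
    return 0;
}
```

The same policy applies to the data management case in the quotation: space freed by a deleted or temporary file is overwritten before it is allocated again.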


"Incomplete parameter Checking is a major weakness of 
contemporary operating systems that occurs at the interfaces
between the system and the users' programs. Users call
operating system functions in a manner similar to subroutine
calls, using many parameters. By supplying addresses outside
the space allocated to that user's program, three dangerous
results are possible:

1. The supervisor may obtain unauthorized data for that
user.

2. A set of conditions can be generated to cause a system
crash.

3. Control may be returned to the user in supervisor
state." [24]


To assure control of the supervisor state is not gained
through this means requires redesign of the storage
protection mechanisms as well as limited access to those
addresses wherein the supervisor resides.


"The asynchronous interrupt method exploits a combination
of poor system design and the handling of asynchronous
interrupts. For example, suppose a remote terminal user is
permitted two unsuccessful sign-ons before being terminated.
When the system is designed to handle an interrupt before
updating the counter used to limit this, unpredictable
results can occur.


The trojan horse class of attack is used in an attempt
to achieve the breakdown in security by introducing into the
operating system programs with security holes. When a hole
is activated, the "trojan horse" routine can be used to open
any user files and gain access to classified data. For
example, a software performance monitor, while evaluating a
program, can gather sensitive data associated with that
program.


The clandestine code change is a class of attack that is
closely related to the trojan horse attack. In this case,
system programmers could insert code into the system that
would form trapdoors. Indeed it is almost routine for
systems programmers to add such trapdoor code to current
operating systems for legitimate systems programming
purposes such as quick maintenance. At certain times and
based on certain combinations these trapdoors may be
activated by a user from his program. This capability also
exists for the persons who initially design the system, or
for manufacturers who supply fixes to the system.


The asynchronous attack has often been referred to as
the time of check and time of use problem. When a user's
program parameters were originally checked by the supervisor
they were proper. But after the check and before their use,
the user changed them so as to circumvent some protection
feature of the system. This attack is possible because
third-generation computers are able to process input/output
and relinquish control back to the user for concurrent
processing." [24]


These threats involve a redesign of the operating system
and stricter security measures in software development.
Controlling user access to the supervisor mode is
re-emphasized. The creation of a security matrix for purposes
of deciding who has authorized access to which resources is
mandatory. The solutions to those threats as yet
unconquered rely on the technological community to provide
the answer.
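

The incomplete parameter checking and time of check and time of use weaknesses quoted above meet at the supervisor call interface, where the usual design is to copy the caller's parameters into supervisor-private storage, validate the copy, and use only the copy. The simulation below is an added example, not code from the thesis or its sources; the storage layout, the `svc_output_*` names and the sample data are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout: supervisor owns 0..511, the user program 512..1023. */
#define MEM_SIZE  1024u
#define USER_BASE  512u
#define USER_LEN   512u

static uint8_t storage[MEM_SIZE];
static const char SECRET[] = "PROFILE:PW=ALPHA";   /* constructed supervisor data */
#define SECRET_LEN (sizeof SECRET - 1)

/* Parameter block of an "output these bytes" call; it lives in user storage. */
struct params { uint32_t addr; uint32_t len; };

/* Stands for the user program running while the supervisor's I/O is pending. */
typedef void (*user_activity)(struct params *);

/* Complete range check: start and end inside the caller's region, no wraparound. */
static int in_user_region(uint32_t addr, uint32_t len)
{
    if (len == 0 || len > USER_LEN || addr < USER_BASE)
        return 0;
    return addr - USER_BASE <= USER_LEN - len;
}

/* Flawed: checks the parameter block where it lies, then reads it again at use. */
int svc_output_flawed(struct params *up, uint8_t *out, size_t outsz,
                      user_activity concurrent)
{
    if (!in_user_region(up->addr, up->len) || up->len > outsz)
        return -1;                               /* time of check */
    if (concurrent)
        concurrent(up);                          /* user regains control */
    memcpy(out, &storage[up->addr], up->len);    /* time of use */
    return (int)up->len;
}

/* Hardened: snapshot the parameters, check the snapshot, use the snapshot. */
int svc_output_checked(struct params *up, uint8_t *out, size_t outsz,
                       user_activity concurrent)
{
    struct params p = *up;                       /* supervisor-private copy */
    if (!in_user_region(p.addr, p.len) || p.len > outsz)
        return -1;
    if (concurrent)
        concurrent(up);                          /* later changes are ignored */
    memcpy(out, &storage[p.addr], p.len);
    return (int)p.len;
}

/* Constructed user behaviour: repoint the block at supervisor storage. */
static void redirect_to_supervisor(struct params *up) { up->addr = 16; }

/* Returns 1 if the call hands supervisor data back to the user program. */
int leaks_supervisor_data(int use_checked)
{
    uint8_t out[32] = {0};
    struct params up = { 600, (uint32_t)SECRET_LEN };
    memset(storage, 0, sizeof storage);
    memcpy(&storage[16], SECRET, SECRET_LEN);
    memcpy(&storage[600], "user record data", 16);
    int n = use_checked
        ? svc_output_checked(&up, out, sizeof out, redirect_to_supervisor)
        : svc_output_flawed(&up, out, sizeof out, redirect_to_supervisor);
    return n == (int)SECRET_LEN && memcmp(out, SECRET, SECRET_LEN) == 0;
}

int main(void)
{
    printf("flawed call leaks:  %d\n", leaks_supervisor_data(0));
    printf("checked call leaks: %d\n", leaks_supervisor_data(1));
    return 0;
}
```

Both versions reject an address that is outside the user's region at the time of the call; only the version that works from its own copy stays correct when the parameter block changes afterwards.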


Legally, the question still remains: If it is
technologically possible to gain access to personal
information and the state of the art has not conquered the
method of attack, who is liable? If the computer
installation has implemented all possible procedures to
avoid unauthorized access, are they still subject to
legislative penalties? The possibility of designing a
totally secure software operating system into existing
hardware is not realistic and would be extremely costly.
Therefore more reliable program design, acceptance testing
and standards is an alternative approach.


Possible safeguards to be employed include: proper
decision making criteria (for example including all
appropriate factors and changing them as circumstances
warrant), avoiding logic errors caused by an invalid
translation of requirements between user and programmer,
including a complete edit check for determining complete
input data (this includes for instance a check for blank
data fields leading to incomplete information), establishing
standards and criteria for programming documentation.


In a study conducted by the Government Accounting Office 
(GAO), the following software problems were researched. 
They are quoted as possible areas of improvement for more 


effective control in implementing privacy legislation. 


1. Adequate communication between the parties to
software design.

2. Incorrect perceptions of the nature of actual
transactions to be processed.

3. Inadequate documentation preventing adequate reviews
of software.

4. Time constraints hampering the effectiveness of the
design process.

5. Absence of written criteria or guidelines for
designers to follow.

6. Detail and complexity involved in designing, coding,
and reviewing software.

7. Reliance on the expertise and experience of people
doing the work.

8. Undetected changes in circumstances making the
application obsolete.

9. State of the art of program testing which prevents
testing all possible conditions. [22]


Certain solutions have been proposed to assist in the
elimination of these sources of error. It is noted that
with today's technology, completely error-free software
cannot be designed, however the probability of inaccurate
documentation can be reduced through implementation of
applicable procedures.


"-Documentation should be prepared that highlights (1)
key portions of the automated decisionmaking criteria, (2)
data elements that are critical to the decisionmaking, and
(3) the edit checks placed (or justifications for omitting
them) in the software. A formalized synopsis of these items
should be prepared for review and approval by top
management.


-Qualified auditors or others who are independent of
designers and users should review the designed application
before it is placed into operation. Others could include a
design team independent of the original designer and user.
They would be responsible for evaluating the (1) adequacy of
the decisionmaking criteria, (2) logic in the coded
application, and (3) needs and uses of edit checks to detect
incomplete data elements put into the application.


-Similar independent teams should review the operation
of these applications shortly after they are implemented.
The objectives would be to evaluate the adequacy of the
decisionmaking criteria in an operational environment and to
provide for early detection of any bad decisions. This
would allow for early correction of problems.


-Some form of cyclical system monitoring of actions
initiated by operational automated decisionmaking
applications should exist. Teams composed of (but not
restricted to) designers, users, and auditors could analyse
application-initiated actions to (1) see if desired results
were achieved in the best way, (2) identify unforeseen
circumstances that would require modifying the application,
(3) determine that the actions were as the user and designer
intended, and (4) insure that decisionmaking was not
adversely affected by incomplete data not being screened by
an edit check.


-The designer and user should be physically located in 
the same place during design phases to allow for constant 
communication. In effect, the design would be a joint 
effort and would help to insure that adequate decisionmaking 


criteria were contained in the application. 


-Priorities should be established for software 
modification (changes) which are at least partially based on 
the cost of continuing incorrect automatic actions if no 


changes are made within a short time. 


-The initiator of the needed software modification (for
example, headquarters, user, audit team and/or others)
should be informed about the status of the change and be
provided with confirmation that the changes have been made."
[22]


COST IMPLICATIONS


"The cost of increased overhead created by additional
checking verification should not be greater than the value
of the resources being protected or the use of a secure
system will be deterred." [24]


The aspects of determining the cost of privacy include
tangible and intangible factors. Past research has not
accumulated a significant amount of statistical information
on the subject and therefore concrete totals in time,
manhours expended and money are not readily available to the
general public. The tangible cost factors include the
number of data subjects who will make inquiries, the amount
of executive personnel time necessary to handle data
disputes, programming time to develop software to handle
Privacy Act requirements and personnel training. There are
three major facets of cost. Legitimate costs include
conversion and operating costs. The third is improper costs
or those items or procedures which have been planned
previously, but are now mandatory and are charged to privacy
legislation. Examples include installing more physical
security hardware, purging or destroying obsolete data,
installing a new data management system, or no longer
collecting more personal information than is required. It
is also conceivable that organizations may charge the
privacy budget with miscellaneous expenses such as changing
programs or re-converting application systems.


The National Bureau of Standards has published "A
Computer Model to Determine Low Cost Techniques to Comply
with the Privacy Act of 1974" which was developed by
Goldstein and Seward. [25, 42] The legitimate costs of
privacy are portrayed in this model. This report, however,
warns of using the figures in specific cases since the
factors influence each agency in specific degrees. The
elements used in the model are applicable to many agencies;
however, it is left to the discretion of each individual
installation to determine to what degree each factor affects
their total cost and which elements may or may not be
applicable or are not included in the model. The twenty
compliance steps (techniques) analysed by the model fall
into four general categories:

1. Subject Access Requirements

2. Subject Control Requirements

3. Data Usage Requirements

4. Operating Procedure Requirements


To provide clarity, the variable names used as input to
the model are in parentheses after each compliance step.


1. Subject Access Requirements

A. Notify each subject of the existence and content
of his record.

(Record existence notification)

B. Respond to inquiries from data subjects
concerning the existence and content of their records.

(Record existence inquiry)

C. Respond to inquiries from data subjects
concerning the uses of their records.

(Record uses inquiry)

D. Respond to complaints from data subjects
concerning the accuracy of their records.

(Data accuracy inquiry)


2. Subject Control Requirements

A. Notify each subject whether he is obligated to
provide data.

(Data supply obligation notification)

B. Obtain the consent of the data subject for each
use of the data.

(Consent for additional use)

C. Obtain the consent of the data subject before
transferring data to a less protected system.

(Consent to transfer data)


3. Data Usage Requirements

A. Check the authorization of each request for
data.

(Check usage authorization)

B. Maintain a log of all accesses to personal data.

(Usage log maintenance)

C. Include the data subject's statement with any
release of disputed data.

(Subject claim dissemination)

D. Send the subject's statement to all past
recipients of disputed data.

(Retroactive claim dissemination)

E. Assure that any system to which data is
transmitted will provide adequate protection.

(Record transmission)

F. Notify the subject before data is released in
compliance with legal process.

(Legal process notification)


4. Operating Procedure Requirements

A. Assure the accuracy and completeness of all
records.

(Data accuracy)

B. Include any additional data needed to give a
fair picture.

(Additional data)

C. Store a subject's statement of dispute with his
record.

(Subject claim storage)

D. Protect against threats and hazards to the
security of the data.

(Physical security)

E. Train all users in appropriate privacy
procedures.

(User training)

F. Assure that his system meets all of the
requirements.

(System assurance)

G. Publish a description of his system where it
will be seen by most data subjects.

(Public notice)


The model then requires a determination of the value of
various attributes which describe a personal data system.
In all, seventy-five pieces of data are required. Examples
are the size of the data base, volume of transactions, and
the number and types of users. These factors are also used
to determine whether a system has on-line capability and if
a data management package is used. Certain attributes are
matched with the regulatory requirements in a matrix format.
These are then analysed to produce two output formats
(reports). "The first level of output from the model
consists of estimates of the incremental amounts of various
resources needed to meet each requirement. Incremental
resource demands are calculated in order to provide an
indication of what new costs would be incurred specifically
because of the privacy legislation, and to avoid the
probably insolvable problem of deciding what share of
certain costs should be attributable to privacy, and what to
other objectives. The impact model also distinguishes
between conversion costs which are incurred only once to
bring a system into compliance with the regulations, and
ongoing costs which must be added to 'preprivacy' operating
costs." [25]


Conversion (nonrecurring) cost factors include physical
security, operator and user training in privacy-oriented
procedures, and programming required to develop
legislatively mandatory capabilities. This is the first
output format which includes cost totals for each
requirement.


Types of ongoing costs encompass maintaining an
accurate data base and handling complaints and inquiries
from data subjects. (The second section of the output
consists of these expenses.) It is suggested the reports be
placed side-by-side for most efficient analysis. "The
general resource categories which are considered are:
manpower, data storage, information processing, data
communications, and capital (which includes various items of
equipment and supplies). Each of these categories is broken
down into several subdivisions." [25]


The model uses the following headers respectively:
administration, storage, processing, data transmission, and
capital. Additionally, the number of programming man-hours
are listed.


"Once the resource demands of each requirement have
been computed, they are converted to money amounts using
factors appropriate for the specific installation, and are
then aggregated by resource and by requirement. This
enables the quick identification of high-cost requirements
and of resource areas experiencing heavy demands." [25]


It is obvious that not all data bank systems will
encounter the same level of conversion and ongoing costs.
The data banks with information already publicly available
or of low sensitivity need to implement features that
guarantee data integrity and prevent user interference with
each other. More sensitive information in on-line, shared
and integrated data bank systems, however, may require the
installation of all known protection features.


Certain conclusions reached by Goldstein about relative
costs are worth noting. With regard to conversion costs,
three areas were expensive. The first is the cost of new
forms which should include a notification of the rights of
the data subject when providing information on the form;
second, the cost of installing a "satisfactory" physical
security system; and third, employee training in the use of
new procedures. In some instances programming significantly
increases the cost of conforming to legislation. (Goldstein
suggests using general data base management packages to
decrease conversion costs).


Under the category of operating costs, the most
expensive areas were: searching a file for the records of
those individuals who inquire about the data in the record
and which organizations have the record and the executive
personnel time required to process data subject's complaints
about the accuracy of their records. The findings of the
study by Goldstein are still preliminary and in some
instances his conclusions are not surprising. Until this
model is used with other types of computer installations, it
is still nebulous as to what the costs of privacy
legislation are.


III. CONCLUSIONS


The privacy issue is extremely complex in nature. The
proper balance of protecting individual rights through
management procedures, data considerations, and security
measures is needed to insure compliance with legislation.
This reevaluation of current systems and technology is
intended to bring out important factors in maintaining
compliance with legislation. To achieve the proper balance
between the right of the individual and the rights of
industry and government with regard to personal information
is the ultimate ideal goal.


Ensuring individual privacy protection extends from the
state level to beyond a country's physical geographical
border. [11, 52] The nine Common Market countries have
recognized the need for standard legislation on the
international scale as is evidenced by the survey currently
being conducted by the Commission on the European
Communities. [11] One important fact is that the data
processed in each country is not legally protected once it
is outside its borders. The issue is yet to be resolved in
the United States of America and Canada. It could have an
enormous impact on private industry if H.R. 1984 becomes a
law.


The questions concerning management of personal
information still to be resolved are most importantly (1) if
the computer installation personnel have implemented all
possible measures through administrative, training and
security procedures to protect an individual's personal data
and the personal data is still obtained by unauthorized
means, who is responsible and liable for legal penalties?
(2) if the "state of the art" technology is yet to solve the
problem of a completely secure automated system, is the
computer industry legally responsible for personal data
obtained through currently unsolvable technological methods?
and (3) to what extent should the computer manager implement
procedures to insure that privacy legislation is complied
with?


Data accuracy can best be achieved through input
validation procedures. If however, that data is inaccurate
due to improper entry by the individual who is the subject
of that data, then who is legally responsible? Again, a
relationship of trust must be reinforced between the data
subject and the computer industry. Legally, the industry is
not covered and unless they establish some protection
procedures, a lawsuit could result.


The problems associated with hardware lie mainly with
the telecommunication systems (electronic emanations) and
older computer systems which do not have all the internal
security checks and protection mechanisms that are in the
third-generation systems. With regard to electronic
emanations, it is the researchers who must solve this
problem. As for older computer systems, if computer
installations have to change equipment to comply with
legislation, it would be costly.


One major problem is the compatibility of "legal
records" with "computer records". Legally, the term record
could mean only a part of a computer record. This means
reorganizing files and a new method of structuring data must
be achieved. The complication of having a variety of data
sensitivity levels in a computer record can be costly to the
computer installation. The issue is even more complex with
the requirement to retrieve all data held on a data subject
should the individual request it.


The data structure problem is both hardware and software 
connected. Limitations exist in the physical storage 
capacity of the equipment and the programs utilized in the 
processing of the data must be reevaluated for possible 
modification to a new system. Software auditing procedures 
must be implemented to insure unauthorized access is not 


possible, as well as unintentional modification of data. 


The cost of implementing privacy legislation has been
analysed by Goldstein and Seward. Although it has only been
used on a few types of systems (internal, financial, and
governmental) the results are promising. The Purdue
Information Privacy Research Center is currently conducting
research on the economic impact of privacy. [17] The results
of this study should be of great value to the computer
industry.


This discussion has mentioned various procedures,
technological and administrative, to be implemented in
regard to decreasing unauthorized access and increasing data
accuracy as is required by the privacy legislation in effect
today. It is not intended to cover all areas of the privacy
situation nor answer all questions. It is intended to
emphasize major considerations faced by the computer
industry with the advent of privacy legislation.